Privacy Policy

Last updated: April 2026

1. Introduction

MADAR is a fleet tracking and management platform fully owned by Safe Corner Establishment (Al-Zawiya Al-Amena), Commercial Registration No. 1010607800, Riyadh — Al-Rawdah District, Ubadah ibn Al-Samit Street. MADAR is committed to protecting personal data and processing it in accordance with the Personal Data Protection Law (PDPL) issued by Royal Decree No. (M/19) dated 9/2/1443H, as amended by Royal Decree No. (M/148) dated 5/9/1444H, and its implementing regulations, under the supervision of the Saudi Data and Artificial Intelligence Authority (SDAIA). This policy applies to all data collection and processing activities resulting from the use of the MADAR platform, including vehicle tracking, dash camera streaming, automated safety alerts, and maintenance management.

2. Data Controller & Processor Identity

Safe Corner Establishment (Al-Zawiya Al-Amena), Commercial Registration No. 1010607800, is the data controller for personal data related to accounts, system security, operational logs, technical support, and billing. Address: Riyadh — Al-Rawdah District, Ubadah ibn Al-Samit Street For data generated by in-vehicle devices (video, location, driver behavior alerts), the customer (fleet owner) is the data controller with respect to data subjects (drivers and others), and MADAR acts as a data processor on their behalf according to their instructions and under the contract and data processing agreement. Where data relates to drivers or vehicles managed by the customer, the customer is the primary controller with respect to data subjects, and requests related to such data are referred to the customer or handled in coordination with them. For data protection inquiries: • Email: privacy@safecorner.sa

3. Types of Personal Data Processed

a) Data collected via camera devices: • Live video streaming and recordings from vehicle cameras • Photos and videos associated with safety alerts (stored automatically) • Continuous GPS location data (latitude, longitude, speed, direction) • Automatically classified driver behavior alerts (fatigue, distraction, phone use, seatbelt, smoking) • Mileage data and route history b) Account data: • Full name • Email address • Password (encrypted and not accessible) • Date of terms and conditions acceptance c) Technical data: • IP address and browser type • Access and usage logs Collection of account data (name and email) is mandatory to provide the service. Vehicle data is collected automatically via devices installed by the customer.

4. Legal Basis for Data Processing

Data is processed according to the appropriate legal basis for each purpose, which may include: • Performance of contractual obligations: Providing platform services agreed upon in the subscription contract (primary basis for account data and service operation). • Legitimate interest: Road safety, fleet management, and incident detection, provided it does not prejudice the rights and interests of the data subject, and is not used for processing sensitive data (Article 6, paragraph 4). • Compliance with legal obligations: Responding to requests from competent government authorities. • Data subject consent: Where required by law or where processing depends on it, such as biometric use for personal identification. Consent is documented electronically with the date and method recorded (Article 11). The legal basis is determined independently for each processing activity, and consent is not the sole or default basis for all operations.

5. Processing Purposes

Data is processed for the following specific purposes only: • Providing real-time vehicle tracking • Live streaming from dash cameras • Issuing automated safety alerts (ADAS, DSM, BSD) • Storing alert attachments (video and photos) for incident documentation • Vehicle maintenance management and scheduling • Sending real-time safety notifications • Improving service performance and stability • Compliance with regulations Data is used only for the purposes listed above or for any subsequent purpose that is lawfully compatible with the original purpose and based on a valid legal basis, with appropriate notice provided where required.

6. Automated Processing & Profiling

The platform uses AI systems embedded in camera devices to automatically analyze driving behavior, including: • ADAS system: Road hazard detection (forward collision, lane departure, close distance, pedestrians, obstacles) • DSM system: Driver monitoring (fatigue, distraction, phone use, smoking, seatbelt, yawning) • BSD system: Blind spot detection (rear approach) These systems generate automatic alerts classified by severity (critical, warning, info) with photos and video stored as attachments. No decisions that directly affect individuals are made based on automated processing alone — alerts are assistive tools and final decisions (such as disciplinary actions) rest exclusively with the fleet owner. Safeguards in place: Encryption in transit and at rest, role-based access control, full audit logging of all operations.

7. Data Nature & Sensitivity Level

Some video recordings may contain images of drivers' or others' faces, which constitute personal data and may qualify as sensitive data (as defined in Article 1, paragraph 11) if biometric features are used for the purpose of identifying or verifying a person's identity. Precise and continuous geographic location data is considered personal data of high operational and privacy sensitivity, and is subject to enhanced protection measures, even though it is not explicitly listed in the statutory definition of sensitive data. All such data is subject to enhanced security measures including encryption, access control, and audit logging.

8. Consent and Withdrawal Mechanism

Your consent is obtained upon registration on the platform in an explicit and electronically verifiable manner, with the date and method of consent recorded. You have the right to withdraw your consent at any time by: • Sending a request to: privacy@safecorner.sa • Through in-platform support channels Withdrawal procedures are equivalent to or easier than consent procedures. Upon withdrawal: • Processing will be stopped without undue delay • Withdrawal does not affect the lawfulness of processing performed prior to it • Withdrawal may result in the inability to use some or all platform services • Processing based on other legal bases (such as contractual or legal obligations) will continue

9. Data Sharing & Disclosure

MADAR does not sell personal data. MADAR discloses personal data only to the extent necessary, for a legitimate and specific purpose, based on a valid legal basis, and in compliance with the restrictions and controls stipulated in the law. Data may be disclosed in the following cases: • To technical service providers (cloud storage, streaming servers) under binding data processing agreements that include the purpose of processing, data categories, duration, and security obligations • To competent government authorities upon legal request, with documentation of the disclosure request and types of data requested Disclosure is limited to the minimum data necessary to achieve the purpose. All disclosure operations are documented in processing activity records.

10. Cross-Border Data Transfer

Data is primarily stored within the Kingdom of Saudi Arabia. If any data is transferred outside the Kingdom (such as certain cloud storage services or backups), this is done in accordance with SDAIA-approved controls, ensuring: • An equivalent level of data protection in the receiving country • Binding agreements with receiving entities that include data protection obligations • Documentation of transfers in processing activity records with legal justifications • Identification of countries and regions where data is transferred and assessment of protection levels therein

11. Data Retention & Destruction

Data is processed and retained according to the data minimization principle, collecting only the minimum necessary: • Alerts and attachments (video and photos): 90 days by default, unless a different period is agreed upon in writing as part of the contractual plan. After expiry, data is deleted from active systems automatically, and removed from backups according to the approved secure technical cycle • Location and telemetry data: Retained for operational and analytical purposes according to the subscription period • Live streaming: Not stored — streamed in real-time only • Account data: Retained for the duration of the contractual relationship • Processing activity records: Retained for the duration of processing + five years Upon data destruction, entities previously disclosed to are notified and requested to destroy their copies, unless a legal obligation requires otherwise. You may request deletion of your data where lawfully permitted and where it does not conflict with contractual or legal obligations or legitimate retention requirements, via privacy@safecorner.sa

12. Data Security

MADAR implements appropriate technical and organizational measures in accordance with controls and standards issued by the National Cybersecurity Authority (NCA) and recognized best practices: • Encryption in transit (TLS) and at rest • Role-Based Access Control • Password encryption • Full audit logging of all operations • Continuous security monitoring • Secure communication protocols between devices and servers

13. Data Breach Notification

In the event of a personal data breach: • SDAIA will be notified within 72 hours of becoming aware of the incident, including: description of the incident and its timing, affected categories and numbers, potential risks, measures taken to mitigate impact • Affected data subjects will be notified without undue delay in clear and simple language, including: description of the incident, potential risks, recommendations for self-protection, contact information • The incident and corrective measures taken will be documented and records maintained

14. Data Subject Rights

Under the Personal Data Protection Law, data subjects have the following rights: • Right to be informed: Know how their data is collected, the purpose, legal basis, and retention period (Article 4) • Right of access: View their personal data held by us (Article 5) • Right to obtain a copy: In a readable and clear electronic format (Article 6) • Right to rectification: Correct inaccurate, incomplete, or outdated data (Article 7) • Right to destruction: Request deletion of their personal data (Article 8) • Right to withdraw consent: At any time through the means described in Section 8 • Right to file a complaint: With SDAIA within 90 days of the incident or becoming aware of it (Article 37) Requests to exercise rights will be fulfilled within 30 days, extendable by an additional 30 days with prior notice of the extension and its justification. Where MADAR processes certain personal data on behalf of the customer as the controller (such as driver data), the data subject may be required to submit some requests directly to the customer, or MADAR will refer the request to the customer and cooperate in responding to it in accordance with its contractual and legal role. To exercise any of these rights: privacy@safecorner.sa

15. Impact Assessment

Given the nature of data processed (sensitive data, automated processing, continuous monitoring), MADAR commits to preparing a written and documented assessment of the impacts and risks of processing on data subjects, including: • Processing purposes and legal basis • Description of the nature, types, and scope of processing • Assessment of potential risks, their severity, and likelihood • Measures taken to prevent and mitigate risks The impact assessment is reviewed periodically and updated upon any material change in processing operations.

16. User Obligations — Fleet Owner

As the data controller for data generated by your vehicle devices, you acknowledge and commit to: • Obtaining the appropriate legal basis for processing, providing clear notice to relevant individuals, and obtaining explicit consent where required by law • Clearly notifying drivers of the presence of cameras and tracking systems in vehicles and their purposes • Complying with surveillance, recording, and labor laws in the Kingdom • Taking responsibility for any unlawful use of data available through the platform • Not using data for purposes beyond fleet management and road safety When MADAR processes data on your behalf, it commits to processing it only according to your instructions, not using it for any other purpose, applying appropriate security measures, and ensuring data confidentiality.

17. Policy Changes

MADAR reserves the right to modify this policy to comply with regulatory or operational changes. Users will be notified of material changes through the platform or email before they take effect, and explicit re-acceptance of updated terms may be required upon next login.

18. Contact

Safe Corner Establishment (Al-Zawiya Al-Amena) Commercial Registration: 1010607800 Address: Riyadh — Al-Rawdah District, Ubadah ibn Al-Samit Street For privacy and data protection inquiries: • Email: privacy@safecorner.sa • Through in-platform support channels You may also file a complaint with the Saudi Data and Artificial Intelligence Authority (SDAIA) through their official platform: sdaia.gov.sa